Saturday, April 5, 2014

Analyzing the "Power Worm" PowerShell-based Malware

On March 27, 2014, Trend Micro revealed the so called “Power Worm” PowerShell-based malware that is actively being used in the wild. With so few publicly reported instances of PowerShell malware in existence, I was excited to get my hands on this most recent strain of PowerShell-based malware. Unable to track it down on my own, I reached out to the security and PowerShell communities. It was with great relief that my friend Lee Holmes – PowerShell developer extraordinaire and author of the Windows PowerShell Cookbook kindly provided me with all of the samples described in the Trend Micro post.

While the Trend Micro post was thorough in its coverage of the broader capabilities of the malware, they did not provide an analysis of its implementation which, as a PowerShell enthusiast and malware analyst, I was very interested in. That said, what follows is my analysis of the mechanics of the Office document infecting malware. Since there were multiple payloads associated with “Power Worm.” I decided to focus on the X97M_CRIGENT.A payload – a malicious Excel spreadsheet.

People have asked, “Wouldn’t the PowerShell execution policy potentially mitigate this attack?” No. First of all, the execution policy should not be viewed as a security mitigation considering PowerShell itself provides the mechanism to bypass it. Second, the execution policy is not honored when a Base64 encoded command is provided to the ‘-EncodedCommand’ parameter. Malware authors know this and will never run into a situation where the execution policy is the reason their malicious PowerShell code was prevented from executing. Having macros disabled by default prevents the initial infection, but all it takes is a naïve victim to click a single button to enable macros.

The ‘Workbook_Open’ function will execute automatically upon opening an Excel spreadsheet (assuming macros are allowed to execute). After decoding the Base64-encoded PowerShell command, you will be presented with an obfuscated mess consisting of the following:

The payload is a single line of semicolon delimited PowerShell commands.

Junk strings that have no impact on the script are inserted between each command.

All variables and function names are randomly generated and have no logical meaning.

Lastly, some functions used in the script are not implemented until a subsequent payload is downloaded from the command and control (C2) server.

I rewrote all of the “Power Worm” malware (redacting key portions) that I was able to obtain so that those interested don’t have to be bogged down with difficult to understand obfuscated code. I also created a PowerWorm GitHub repo where you will find the following code:

As soon as the macro executes and launches PowerShell, the following code is executed:

Suppress error messages.

Obtain the machine GUID with WMI. This unique value specific to your system is used throughout the malware as a directory name to store downloaded files, registry key names where additional payload are persisted, and as a unique identifier for the C2 server.

Next, If the malware is already persistent in the registry, don’t bother running the payload again. It will execute again at next reboot.

Define a function to resolve DNS TXT records and download and decompress a zip file located at the URI in the resolved TXT record. Both Tor and Polipo are downloaded via this function.

Mark the downloaded file directory as hidden.

The next portion of the payload executes tor and polipo, a requirement for communicating with the C2 server and downloads and executes the next stage of the attack:

For those unfamiliar with common malware techniques, what should be worrisome about the fact that additional PowerShell code is downloaded and executed is that the malware authors have complete control over the downloaded content. The analysis that follows describes the instance of the malware that I downloaded. The malware authors could very well change the payload at any time.

The downloaded payload starts by persisting three additional Base64-encoded payloads to the registry.

The Trend Micro article neglected to mention the two payloads saved in the registry at the following locations:

$EncodedPayload1 and $EncodedPayload2 are essentially equivalent to the initial payload included in the Excel macro – they serve to reinfect the system and download/execute any additional payloads. $EncodedPayload3 contains all the logic to infect Office documents.

The malware then collects information about the compromised system and uploads it to the C2 server.

Finally, the Office document infection functions are called and if an additional payload is available, it is executed. I was unable to retrieve the additional payload during my analysis.

The Office document infection payload implements the following functions:

Start-NewDriveInfection – Registers a WMI event that detects when a new drive is added (e.g. USB thumb drive) and infects all Office documents present on the drive

After the registry values are set, you will no longer be prompted to enable macros. They will execute automatically without your knowledge. Also, be mindful that if a macro is present in an Office document and you attempt to analyze it with the Word.Application and Excel.Application COM objects, the macro security settings are not honored and the macro will execute without your permission. Before opening an Office document with the COM objects, you must explicitly disallow the execution of macros by setting the ‘AutomationSecurity’ property to ‘msoAutomationSecurityForceDisable’.

The Word document infector is implemented as follows:

What’s interesting is that once the macro is written to the Word document, it is downgraded to a ‘macro-enabled’ .doc file.

Once a document or spreadsheet is infected, it will download and execute another PowerShell payload. I was unable to successfully download any additional payloads during my analysis. Either I was not emulating C2 communication properly or the payload was not made available at the time.

So in the end, I was rather impressed by the effectiveness of which the PowerShell payloads infected Office documents. It has yet to be seen though the true power of this malware until additional malicious payloads can be downloaded from the C2 server.

Should you become the victim of a “Power Worm” infection or any malicious Office document for that matter, I’ve provided tools to detect and remove “Power Worm” and Word/Excel macros. You can download these tools from my Github repo.

20 comments:

My read is that they are just using PowerShell because it is a nice powerful language and that if PowerShell wasn't there, they could do the same things another way but it would be harder. Is that correct?

From your analysis, is there anything that we can/should be doing in PowerShell that would help protect users from attacks like this?

You're absolutely right. If PowerShell wasn't there, they would have most likely stuck to VBScript to infect Office documents as well as to download and execute PE executables. Using PowerShell offers the flexibility to do everything without having to drop any binaries to disk.

My best recommendation for improving the overall PowerShell security model would be to emulate the Windows RT implementation of PowerShell - enable constrained language mode by default. While it wouldn't remove the impact of malicious PowerShell scripts altogether, it would severely limit the impact out of the box.

That's an interesting idea, though it would cripple a lot of legitimate PowerShell use as well. Ideally, there would be ways to enable full language mode while still maintaining a reasonable barrier against malicious code. Perhaps signed scripts from trusted publishers automatically run in full language mode, and add a cmdlet that presents a UAC-style prompt on the secure desktop, if a user wants to enable full language mode in an interactive console.

You're right about constrained language crippling legitimate uses of PowerShell. It was implied but I should have explicitly stated that from an elevated prompt you would be able set non-admin language modes accordingly. Just like Set-ExecutionPolicy, I imagine a cmdlet like Set-LanguageMode that can only be set from an elevated session.

Regardless of the implementation, I think it's safe to say that unless restrictions are put in place out of the box in PowerShell for non-admins, malware like this will continue to flourish and be successful (unless the user is already running as admin, of course).

I would suggest starting a "Great Debate" on powershell.org discussing reasonable implementations for locking down PowerShell out of the box. It would be great way to get the broader public engaged on an important topic like this.

To Alex and any others that are trying to create signatures for the malware:

In one of the instances for the encoded powershell scripts, when I decoded the Base64 string, there was a lot of gibberish between different lines of code. A smart hacker would modify the script by adding any random strings as you will see below. When Base64 encoded, this will result in a different signature (i.e. they could replace 'TYfpMAifj'; with 'sSDrgoSqd';). Just something to be aware of.

There is a updated version of this, possible the payload that didnt execute as you were talking about that encrypts the victims files. I have analysed it, and also have gotten it to a readable state. If your interested i have explained it here:http://www.bleepingcomputer.com/forums/t/530294/poshcoder-malware-removal/?p=3338793

From your third paragraph and "The payload is a single line of semicolon delimited PowerShell commands." Correct me if I'm misunderstanding this but, is this to say that even if you have a *restricted* execution policy the malware would still run so long as PowerShell is present?

That's correct. The execution policy restricts the execution of scripts (i.e. ps1, psm1 files). The execution policy has no effect on commands passed via -Command, -EncodedCommand, or in the shell itself.

By all means, validate these claims yourself and please tell your colleagues that malware authors know this and will never run into a situation where the execution policy is the reason their malicious PowerShell code was prevented from executing. :)